Abstract

Recently, Pareek et al. proposed a symmetric key block cipher using multiple
one-dimensional chaotic maps. This paper reports some new findings on the
security problems of this kind of chaotic cipher: 1) a number of weak keys
exist; 2) some important intermediate data of the cipher are not sufficiently
random; 3) the whole secret key can be broken by a known-plaintext attack with
only 120 consecutive known plain-bytes in one known plaintext. In addition, it
is pointed out that an improved version of the chaotic cipher proposed by Wei
et al. still suffers from all the same security defects.

1 Introduction



Due to some close and subtle relation between statistical properties of chaotic
systems and cryptosystems, the idea of utilizing chaos to design digital ciphers
and analog secure communication schemes has been attracting more and more
attention during the past two decades [?, 1, 2].

Since 2003, Pareek et al. have proposed three different cryptosystems based on
one or more one-dimensional chaotic maps [3-5]. Unlike most existing chaotic
ciphers [1], in the ciphers of Pareek et al., the initial conditions and/or the
control parameter are not used as the secret keys, but derived from an
external key instead, with the goal of obtaining a new way to achieve a higher
level of security. The chaotic ciphers proposed in [3] and [4] have been
cryptanalyzed by Alvarez et al. in [6], and by Wei et al. in [7], respectively.
Wei et al. further proposed a remedy to improve the security of the original
cipher against known-plaintext attacks.

This paper re-examines the security of the chaotic cipher designed in [4] and
its improved version suggested in [7]. Three new security problems of the
original cipher that were not reported in [7] are found: 1) there are a number
of weak keys that cannot encrypt the plaintexts at all; 2) some important
intermediate data of the cipher are not sufficiently random; 3) the secret key
can be completely broken by a known-plaintext attack with only 120 consecutive
known plain-bytes in just one known plaintext. In addition, it is found that
the improved cipher developed in [7] still suffers from the same problems, thus
failing to enhance the original cipher's security.

The rest of the paper is organized as follows. The next section gives a brief 
introduction to the original cipher of Pareek et al. and its improved version. 
Section 3 focuses on the above-mentioned security problems of the two chaotic 
ciphers under study. The last section concludes the paper. 



2 The Cipher of Pareek et al. and its Improved Version 

In the original cipher of Pareek et al. [4], the plaintext and the ciphertext
are both arranged with 8-bit blocks, i.e., arranged byte by byte as follows:
$P = P_1P_2\cdots P_n$ and $C = C_1C_2\cdots C_n$, where $P_i$, $C_i$ are the
i-th plain-byte and the i-th cipher-byte, respectively.

The secret key used in the cipher is a 128-bit integer represented as
$K = K_1K_2\cdots K_{16}$, where $K_i \in \{0, 1, \cdots, 255\}$, which is
called the i-th sub-key in this paper ^1. The secret key is used to generate
the initial conditions of four chaotic maps and the contents of two dynamic
tables. Then, each plain-byte is masked by the output of one randomly-selected
chaotic map after a number of iterations, under the control of the two dynamic
tables. After a group of plain-bytes is encrypted, the two dynamic tables are
updated following the current chaotic state of the selected chaotic map. The
number of chaotic iterations and the group size are varying instead of being
fixed. More precisely, the chaotic cipher works as follows.

(1) The following four chaotic maps are marked with map number
$N = 0, 1, 2, 3$, respectively.

• $N = 0$ - logistic map: $f(x) = \lambda x(1 - x)$;



• $N = 2$ - sine map: $f(x) = \lambda\sin(\pi x)$;

• $N = 3$ - cubic map: $f(x) = \lambda x(1 - x^2)$.

In [4], the control parameters of the above four chaotic maps are
assigned as $\lambda = 3.99$, $\lambda = 1.97$, $\lambda = 0.99$ and
$\lambda = 2.59$, respectively.
(2) The first dynamic table (DT1) stores the initial conditions (IC) of the
four chaotic maps. Before the encryption process starts, the four initial
conditions are all set to be the following value ^2:



(3) Each entry of the second dynamic table (DT2) stores three distinct
values: the selected chaotic map that encrypts a group of plain-bytes, the
number of plain-bytes in a group that is encrypted by the corresponding
chaotic map, and the number of iterations of the corresponding chaotic
map for encrypting each plain-byte, which are denoted by N, B and IT,
respectively. Given a linear congruential pseudorandom number generator
(LCG),

$Y_0 = \lfloor 100 \times IC \rfloor$,    (2)
$Y_n = (5Y_{n-1} + 1) \bmod 16$, when $n \ge 1$,    (3)

the three values of the n-th entry in DT2 are determined as follows ^3:

$N_n = Y_n \bmod 4$,    (4)
$B_n = Y_n$,    (5)

In [4], it's said that DT2 has a number of rows equal to the total
number of session keys, which means that the number of entries in DT2
is 16.

(4) The encryption process runs by reading each entry of DT2. For the
n-th entry, the chaotic map marked with number $N_n$ is chosen to encrypt
a group of $B_n$ plain-bytes. Each plain-byte $P_i$ is masked by the chaotic
state after $IT_n$ iterations of the chosen chaotic map, according to the
following rule:

$C_i = (P_i + \lfloor X_{new} \cdot 10^5 \rfloor) \bmod 256$.    (7)

After each plain-byte is encrypted, IC of the chosen chaotic map in DT1
is updated as $X_{new}$. Once DT2 is exhausted, substitute the latest value
of IC in DT1 into Eq. (2) to reset $Y_0$, and then repeat Eqs. (3) to (6) for
16 times to update all entries of DT2 for future encryption.

(5) The decryption procedure is similar to the above encryption procedure,
by replacing Eq. (7) with the following one:

$P_i = (C_i - \lfloor X_{new} \cdot 10^5 \rfloor) \bmod 256$.    (8)

Wei et al. in [7] pointed out that the above cipher works like a stream cipher,
so a key-stream $\{(C_i - P_i) \bmod 256\}$ can be constructed in known-plaintext
attacks and then be used as an equivalent of the secret key K to decrypt other
ciphertexts. To overcome this security problem, Wei et al. suggested a remedy
to modify Eq. (4), as follows:

$N_n = (Y_n \bmod 4) \oplus$ (^0 Pi mod 4^ ,    (9)

where $P_i$ is the i-th plain-byte, $\oplus$ denotes the bitwise XOR operation, and

^1 In [4], $K_i$ is called "session key". However, such a term may cause some
confusion, since "session keys" are generally used to denote randomly-generated
keys in cryptographical protocols.

^2 Note that we use an equivalent formula to replace Eqs. (4) and (5) in [4],
trying to give a clearer representation. Here "mod 1" means subtracting the
integer part and keeping only the fractional part, which lies in the half-open
interval [0, 1).

^3 Note that $Y_0$ is not confined in $\{0, \cdots, 15\}$, so it is just used as
the seed of the LCG and should not be considered as part of the LCG sequence to
generate the entries of DT2.



3 Cryptanalysis

In addition to the defect of the original cipher of Pareek et al. [4] pointed out
in [7], we found some other security problems that exist in both the original
cipher and the improved version proposed in [7].

3.1 Weak Keys



Observing Eq. (1), one can see the number of all possible values of IC is only
$256 = 2^8$, namely, $\frac{0}{256} \sim \frac{255}{256}$. Since $x = 0$ is a
fixed point common to all the four chaotic maps, $IC = 0$ will cause all
chaotic states to be zero, which means that $C_i = P_i$, $\forall i$. In this
case, the chaotic cipher does not work at all and the corresponding key is an
extremely weak key. To make $IC = \frac{0}{256}$, one has
$\sum_{i=1}^{16} K_i \equiv 0 \pmod{256}$. Then, one can calculate the number
of such weak keys to be $2^{128}/256 = 2^{128-8} = 2^{120}$. Figure 1 shows the
encryption result when a weak key K = 61624D51595F888A434487885C5E483D
(represented in hexadecimal format) is used to encrypt a sinusoidal waveform.

Additionally, to ensure a higher level of security, the value of IT should not be
too small, which means that each sub-key should not be too short. This will
further reduce the key space.




[Figure 1, panel b): the ciphertext]

Fig. 1. The encryption result of a sinusoidal waveform with one weak key,
"61624D51595F888A434487885C5E483D".

Finally, it is worth mentioning that the same kind of weak keys also exists
in the chaotic cipher proposed by Pareek et al. in [3], due to the similarity
between the two ciphers. This weakness had not been pointed out in Alvarez
et al.'s cryptanalysis paper [6].

3.2 Weak Randomness of DT2



The second dynamic table DT2 is generated in a pseudorandom way using an
LCG and controlled by the secret key. Such generators are easy to implement
and pass many statistical tests, thus leading one to believe that they are good
candidates for generating strong pseudorandom sequences for cryptographical
applications. However, these sequences are predictable: given a piece of the
sequence, it is possible to reconstruct all the rest even if the parameters are
unknown [?]. Therefore, the use of linear congruential generators in
cryptography is totally discouraged. Furthermore, the choice of parameters for
the LCG in [4] is most unfortunate. Using a prime number as the modulus of the
LCG would have yielded better results, but by using 16 as modulus, the
randomness of its sequences is null. In fact, the sequence is a unique cycle
where the start value is the seed of the LCG. The known-plaintext attack
discussed in the next subsection benefits from the lack of randomness of DT2,
which reduces the attacking complexity.

In the following, we prove some mathematical results on the LCG sequence
$\{Y_n\}$ and the map-number sequence $\{N_n\}$. It can be seen that the two
sequences are far from having "good" randomness.

Lemma 1 Given a sequence $\{Y_n\}$, where $Y_n = (5Y_{n-1} + 1) \bmod 16$ for
$n \ge 2$. We have $Y_n = \left(5^n Y_0 + \sum_{i=n-1}^{0} 5^i\right) \bmod 16$.

Proof: We prove this lemma via mathematical induction.
When $n = 1$, $Y_1 = (5Y_0 + 1) \bmod 16$, so the lemma is true.

Assuming $Y_n = \left(5^n Y_0 + \sum_{i=n-1}^{0} 5^i\right) \bmod 16$ holds for
$1 \le n \le k$, we prove the lemma for the case of $n = k + 1 \ge 2$. From
$Y_n = (5Y_{n-1} + 1) \bmod 16$, we have

$Y_{k+1} = (5Y_k + 1) \bmod 16$
$= \left(5\left(\left(5^k Y_0 + \sum_{i=k-1}^{0} 5^i\right) \bmod 16\right) + 1\right) \bmod 16$
$= \left(5\left(5^k Y_0 + \sum_{i=k-1}^{0} 5^i\right) + 1\right) \bmod 16$
$= \left(5^{k+1} Y_0 + \sum_{i=k}^{0} 5^i\right) \bmod 16$.

Thus, the lemma is proved. ■
Theorem 1 Given a sequence $\{Y_n\}_{n \ge 1}$, where
$Y_n = (5Y_{n-1} + 1) \bmod 16$ for $n \ge 2$. We have
$Y_n = (2n^2 + (4Y_0 - 1)n + Y_0) \bmod 16$.
Proof: From Lemma 1, we have

$Y_n = \left(5^n Y_0 + \sum_{i=n-1}^{0} 5^i\right) \bmod 16 = \left(5^n Y_0 + \frac{5^n - 1}{4}\right) \bmod 16$
$= \left((1 + 4)^n Y_0 + \frac{(1 + 4)^n - 1}{4}\right) \bmod 16$
$= \left((1 + 4n) Y_0 + n + 4\binom{n}{2}\right) \bmod 16$
$= (2n^2 + (4Y_0 - 1)n + Y_0) \bmod 16$.

This completes the proof of the theorem. ■

Corollary 1 Given a sequence $\{Y_n\}_{n \ge 1}$, where
$Y_n = (5Y_{n-1} + 1) \bmod 16$ for $n \ge 2$. It has a period of 16.

Proof: Assume the period of the sequence $\{Y_n\}$ is T. From Theorem 1, we can
get $Y_{n+16} - Y_n \equiv 0 \pmod{16}$. This means that $T \mid 16$, i.e.,
$T \in \{1, 2, 4, 8, 16\}$. Again, from Theorem 1, we have

$Y_{n+8} - Y_n \equiv (2(n + 8)^2 + (4Y_0 - 1)(n + 8) + Y_0) - (2n^2 + (4Y_0 - 1)n + Y_0) \pmod{16}$
$\equiv 8 \pmod{16}$.

Since $Y_n, Y_{n+8} \in \{0, \cdots, 15\}$, the above result means
$Y_{n+8} \ne Y_n$. That is, $T > 8 \Rightarrow T = 16$, which proves the
corollary. ■

Remark 1 From Theorem 1, it is obvious that there are only 16 distinct
sequences of $\{Y_n\}_{n \ge 1}$, shown as follows ($Y_1 \sim Y_{16}$):

It can be seen that the 16 sequences actually represent the same sequence with
different starting points. This is a common feature of discrete maps defined
over a finite field and with a maximal period [8].

Corollary 2 Given a sequence $\{Y_n\}_{n \ge 1}$, where
$Y_n = (5Y_{n-1} + 1) \bmod 16$ for $n \ge 2$. Then, for any $n > 0$,
$\{Y_n, Y_{n+4}, Y_{n+8}, Y_{n+12}\}$ must be one of the following four sets:
{0, 12, 8, 4}, {1, 13, 9, 5}, {2, 14, 10, 6} and {3, 15, 11, 7}.

Proof: From Theorem 1,
$Y_{n+4} - Y_n \equiv (2(n + 4)^2 + (4Y_0 - 1)(n + 4) + Y_0) - (2n^2 + (4Y_0 - 1)n + Y_0) \equiv (4Y_0 - 1) \cdot 4 \equiv -4 \pmod{16}$.
Since $Y_n \in \{0, 1, \cdots, 15\}$, the corollary is immediately proved. (The
corollary can also be proved by exhaustively examining all 16 distinct
sequences of $\{Y_n\}$.) ■

Theorem 2 Given a sequence $\{Y_n\}_{n \ge 1}$, where
$Y_n = (5Y_{n-1} + 1) \bmod 16$ for $n \ge 2$. Then, assuming
$N_n = Y_n \bmod 4$, we have $N_n = (n + Y_0) \bmod 4$.

Proof: Substituting the result of Theorem 1 into $N_n = Y_n \bmod 4$, we have
$N_n = Y_n \bmod 4 = (2n^2 + (4Y_0 - 1)n + Y_0) \bmod 4 = (2n^2 - n + Y_0) \bmod 4$.
Note that $(2n^2 - n) - n = 2n(n - 1) \equiv 0 \pmod 4$, so
$2n^2 - n \equiv n \pmod 4$. This immediately leads to
$N_n = (n + Y_0) \bmod 4$ and proves the theorem. ■

Corollary 3 Given two sequences $\{Y_n\}_{n \ge 1}$ and $\{N_n\}_{n \ge 1}$,
where $Y_n = (5Y_{n-1} + 1) \bmod 16$ for $n \ge 2$ and $N_n = Y_n \bmod 4$.
Then, the sequence $\{N_n\}_{n \ge 1}$ has a periodicity of 4, and must be one
of the following four sequences: {1, 2, 3, 0, ...}, {2, 3, 0, 1, ...},
{3, 0, 1, 2, ...} and {0, 1, 2, 3, ...}.

Proof: This corollary is a straightforward consequence of Theorem 2. ■
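
The results of this subsection can be checked mechanically. The following Python code is an added example, not code from the paper: it compares the recurrence with the closed form of Theorem 1 for every possible seed and tabulates the group sizes handled by each chaotic map. It assumes $B_n = Y_n$ and $N_n = Y_n \bmod 4$ for the DT2 entries, and all function names are illustrative.

```python
# Added example, not code from the paper. Assumes B_n = Y_n and N_n = Y_n mod 4
# for the DT2 entries, with Y_n = (5*Y_{n-1} + 1) mod 16 seeded by Y_0.
MOD = 16
RESIDUE_SETS = [set(range(r, MOD, 4)) for r in range(4)]  # sets of Corollary 2


def lcg_sequence(y0, count):
    """Return [Y_1, ..., Y_count]; the seed Y_0 is not part of the sequence."""
    out, y = [], y0
    for _ in range(count):
        y = (5 * y + 1) % MOD
        out.append(y)
    return out


def closed_form(y0, n):
    """Theorem 1: Y_n = (2n^2 + (4*Y_0 - 1)*n + Y_0) mod 16."""
    return (2 * n * n + (4 * y0 - 1) * n + y0) % MOD


def period(y0):
    """Smallest T >= 1 with Y_{n+T} = Y_n over one 16-step window."""
    seq = lcg_sequence(y0, 2 * MOD)
    return next(t for t in range(1, MOD + 1)
                if all(seq[i] == seq[i + t] for i in range(MOD)))


def structure_holds(y0):
    """Check Theorem 1, Theorem 2 and Corollaries 1-2 for one seed."""
    seq = lcg_sequence(y0, 2 * MOD)
    for n, y in enumerate(seq, start=1):
        if y != closed_form(y0, n) or y % 4 != (n + y0) % 4:
            return False
    if period(y0) != MOD or sorted(seq[:MOD]) != list(range(MOD)):
        return False
    return all({seq[n + 4 * k] for k in range(4)} in RESIDUE_SETS
               for n in range(MOD))


def groups_per_map(y0):
    """Group sizes B_n handled by each map number N_n in one pass over DT2."""
    groups = {0: [], 1: [], 2: [], 3: []}
    for y in lcg_sequence(y0, MOD):
        groups[y % 4].append(y)
    return groups


def log2_wrong_candidate_prob(group_sizes):
    """log2 of the Stage 1 estimate P_e = 256^4 / 256^(sum of group sizes)."""
    return 8 * (4 - sum(group_sizes))


if __name__ == "__main__":
    # Y_0 = floor(100 * IC) with IC in [0, 1), so seeds 0..99 cover every key.
    print("all seeds conform:", all(structure_holds(s) for s in range(100)))
    y0 = 92  # seed for IC = 237/256, the IC value listed in Table 1
    print("Y_1..Y_16:", lcg_sequence(y0, MOD))
    for n_map, sizes in groups_per_map(y0).items():
        if 0 in sizes:
            continue  # Stage 1 avoids the map that has an empty group
        print(f"map {n_map}: groups {sizes}, "
              f"log2(P_e) = {log2_wrong_candidate_prob(sizes)}")
    print("known plain-bytes for one DT2 pass:", sum(lcg_sequence(y0, MOD)))
```

Whatever the key, one pass over DT2 visits the same 16-cycle, so the schedule of maps and group sizes is fixed up to its starting point.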



3.3 Breaking the Secret Key by a Known-Plaintext Attack

In [7, Sec. 4], Wei et al. pointed out that the original cipher of Pareek et al.
is vulnerable to known-plaintext attacks. However, Wei et al.'s attack does
not break the secret key itself, but only reveals an equivalent of the secret
key - the keystream
$\{(C_i - P_i) \bmod 256 = \lfloor X_{new,i} \cdot 10^5 \rfloor \bmod 256\}$.
The main disadvantage of this attack is that it can only break a ciphertext as
long as the keystream recovered. In the real world, this means that long
messages might not be broken if a previous message just as long is not known.

In this section, we report a practical known-plaintext attack to completely
reveal the secret key, with only 120 consecutive known plain-bytes in just one
known plaintext, with rather small computational complexity. This attack is
very practical in real world scenarios.

From Corollary 3, one can see that for all $n \in \{1, 2, 3, 4\}$, the
plain-bytes in the n, (n + 4), (n + 8), (n + 12)-th groups are encrypted by the
chaotic map numbered with $N_n = N_{n+4} = N_{n+8} = N_{n+12}$. At the same
time, from Corollary 1, the 16 ITs in DT2 form a permutation of the 16
sub-keys $K_1, \cdots, K_{16}$. The two facts mean that we can try to
separately break the sub-keys used for each chaotic map. If such a
divide-and-conquer (DAC) attack really works, the total complexity of
revealing all 16 sub-keys will be dramatically reduced as compared with
exhaustively searching them throughout the whole key space.

It is found that a three-stage DAC attack shown below works well following
the above idea.

• Stage 1 - exhaustively guessing IC in Eq. (1) and 4 sub-keys (i.e., ITs) used
by one chaotic map numbered with $N_n$.

For each guessed value of IC, the chaotic map is chosen to ensure that
$\{B_n, B_{n+4}, B_{n+8}, B_{n+12}\}$ does not contain zero ^4. To eliminate
incorrectly guessed values of IC, the repeated use of $IT_n$ in each group is
employed - all $B_n$ chaotic states in the n-th group should correspond to the
same value of
$\lfloor X_{new} \times 10^5 \rfloor \bmod 256 = (C_i - P_i) \bmod 256$.

^4 Corollary 3 ensures that there are always three chaotic maps of this kind.
We can randomly choose one from the three.

The output of this stage will be some candidate values of IC, each of which
corresponds to 4 revealed sub-keys. Without loss of generality, assume that
the chaotic map has a uniform invariant distribution. Then, we can calculate
the probability of getting a wrong candidate value

$P_e = \frac{256^4}{256^{B_n + B_{n+4} + B_{n+8} + B_{n+12}}}$.

It follows from Corollary 3 that

$P_e \le \frac{256^4}{256^{1+13+9+5}} = 256^{-24} = 2^{-192}$.

To further minimize the value of $P_e$, for each guessed value of IC, one can
choose the map corresponding to
$\{B_n, B_{n+4}, B_{n+8}, B_{n+12}\} = \{3, 15, 11, 7\}$. In this way $P_e$
will be minimized to be $256^4/256^{3+15+11+7} = 256^{-32} = 2^{-256}$.
Thus, it is an extremely rare event to get more than one candidate value of
IC in practice ^5.

• Stage 2 - exhaustively searching other 11 sub-keys (i.e., ITs) used by other
three chaotic maps.

Once the value of IC is determined, we can use a similar method in Stage
1 to determine the sub-keys used by other three chaotic maps. Note that the
sub-key corresponding to $B_n = 0$ cannot be found, since no plain-byte
is encrypted with this sub-key. So, only 11 sub-keys can be revealed in this
stage and the last one is left for the next stage.

• Stage 3 - revealing the last unknown sub-key via Eq. (1).

In the above two stages, one can successfully get the value of IC and break
15 sub-keys. The last sub-key can be determined via Eq. (1). Assuming the
undetermined sub-key is $K_j$, we have

$K_j = \left(256 \times IC - \sum_{1 \le i \le 16,\ i \ne j} K_i\right) \bmod 256$.    (10)
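
The weak-key condition of Section 3.1 and the Stage 3 relation in Eq. (10) both rest on the same sum of sub-keys. The following Python code is an added example, not code from the paper; it assumes Eq. (1) has the form IC = ((K_1 + ... + K_16)/256) mod 1, and its function names are illustrative.

```python
# Added example, not code from the paper. Assumption: Eq. (1) has the form
# IC = ((K_1 + ... + K_16) / 256) mod 1, which is what the weak-key condition
# and Eq. (10) on this page imply.

def parse_key(hex_key):
    """Split a 128-bit key given as 32 hex digits into sub-keys K_1..K_16."""
    raw = bytes.fromhex(hex_key)
    if len(raw) != 16:
        raise ValueError("expected a 128-bit key (32 hex digits)")
    return list(raw)


def ic_numerator(subkeys):
    """Return m in 0..255 such that IC = m/256 under the assumed Eq. (1)."""
    return sum(subkeys) % 256


def is_weak_key(subkeys):
    """True if IC = 0: every map then starts at its fixed point x = 0, so the
    keystream is all zero and the ciphertext equals the plaintext."""
    return ic_numerator(subkeys) == 0


def reject_weak_key(hex_key):
    """Key-setup guard a user of the cipher would need: refuse weak keys."""
    subkeys = parse_key(hex_key)
    if is_weak_key(subkeys):
        raise ValueError("weak key: sub-keys sum to 0 mod 256 (IC = 0)")
    return subkeys


def last_subkey(ic_num, known):
    """Eq. (10): given IC = ic_num/256 and 15 sub-keys as {index: value}
    (1-based), return (j, K_j) for the one index that is missing."""
    missing = set(range(1, 17)) - set(known)
    if len(missing) != 1:
        raise ValueError("exactly 15 of the 16 sub-keys must be known")
    j = missing.pop()
    return j, (ic_num - sum(known.values())) % 256


def weak_key_count():
    """15 sub-keys are free and the 16th is forced by the sum: 256^15."""
    return 256 ** 15


if __name__ == "__main__":
    weak = "61624D51595F888A434487885C5E483D"      # weak key of Fig. 1
    example = "BCDA178E512131422E859F086E2E884F"   # key of the Fig. 2 example
    print("weak key detected:", is_weak_key(parse_key(weak)))
    print("weak keys = 2^120:", weak_key_count() == 2 ** 120)
    subkeys = reject_weak_key(example)
    ic_num = ic_numerator(subkeys)
    known = {i: k for i, k in enumerate(subkeys, start=1) if i != 1}
    print("IC numerator:", ic_num, "recovered:", last_subkey(ic_num, known))
```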



Now, let us estimate the computational complexity of this attack. First, the
computational complexity of Stage 3 is very small, so we can consider only
the first two stages. By enumerating the number of guessed values of IC and
the number of all chaotic iterations, we can deduce that the computational
complexity of Stage 1 is not greater than
$O(255 \times 256 \times (3 + 15 + 11 + 7)) \approx O(2^{21})$ and Stage 2 is
not greater than
$O(256 \times (3 + 15 + 11 + 7 + 2 + 14 + 10 + 6 + 0 + 12 + 8 + 4)) \approx O(2^{14.5})$.
As a whole, the total complexity of the DAC attack is mainly determined by
Stage 1, which is not greater than $O(2^{21})$. Attacks with such small
complexity can be easily carried out on a PC.

^5 Even when such a rare event happens, one can verify all the candidate values
by choosing another chaotic map. This will further eliminate wrong candidate
values and eventually leave only the correct one.

Besides the very small computational complexity, the required number of
known plain-bytes in an attack is also very small - only
$\sum_{i=1}^{16} B_i = \sum_{i=0}^{15} i = 120$ plain-bytes in one known
plaintext are enough.

The above analysis shows that the proposed DAC attack is very efficient. To
further validate the feasibility of the attack, a real attack was carried out with
one known plaintext as shown in Fig. 1a) and the corresponding ciphertext
shown in Fig. 2. The breaking results obtained in all the three stages are given
in Table 1. With the broken sub-keys, one can immediately get the whole
secret key, $K = K_1 \cdots K_{16}$ = BCDA178E512131422E859F086E2E884F
(represented in hexadecimal format).

Fig. 2. The ciphertext of the sinusoidal waveform shown in Fig. 1a), with
K = BCDA178E512131422E859F086E2E884F.

3.4 Security Problem of Wei et al.'s Version

The improved version of the original cipher, proposed by Wei et al. in [7],
employs plaintext feedback to enhance the security against the simple
keystream-based known-plaintext attack. However, even this cipher cannot
resist the DAC attack proposed above in this paper, because this attack does
not depend on the relation between the keystream and the plaintext. Of course,
in the cipher of Wei et al., because the periodicity of $\{N_n\}_{n \ge 1}$ is
destroyed by the plaintext feedback, the performance of the DAC attack may be
complicated slightly. The main influence includes the following two aspects.

First, in Stage 1, the plaintext feedback influences the manner of choosing
the target chaotic map, since now the n-th chaotic map generally does not
correspond to $\{B_n, B_{n+4}, B_{n+8}, B_{n+12}\}$, but to a set
$\{B_{n_1}, \cdots, B_{n_J}\}$ whose size depends on the plaintext. To minimize
the value of $P_e$, we should choose the target chaotic map as the one with the
maximal value of $\sum_{j=1}^{J} B_{n_j}$. Since
$\sum_{j=1}^{16} B_j = \sum_{j=1}^{16} (j - 1) = 120$, we can deduce
$\sum_{j=1}^{J} B_{n_j} \ge 120/4 = 30$. This means that $P_e$ < ~ = 2 So, it
is still an extremely rare event to get more than one candidate value after
Stage 1 is completed.

Table 1
The stage-by-stage breaking results of a real example of the proposed
known-plaintext attack.

                        Stage 1    Stage 2    Stage 3
IC                      237/256
$K_{14} = IT_1$         146
$K_3 = IT_2$                       23
$K_{12} = IT_3$                    8
$K_9 = IT_4$                       46
$K_{10} = IT_5$         133
$K_{15} = IT_6$                    136
$K_8 = IT_7$                       66
$K_5 = IT_8$                       81
$K_6 = IT_9$            33
$K_{11} = IT_{10}$                 159
$K_4 = IT_{11}$                    142
$K_1 = IT_{12}$                               188
$K_2 = IT_{13}$         218
$K_7 = IT_{14}$                    49
$K_{16} = IT_{15}$                 79
$K_{13} = IT_{16}$                 110

Second, in Stage 2, for one or two chaotic maps, the value of
$\sum_{j=1}^{J} B_{n_j}$ may not be large enough to uniquely determine the
values of some sub-keys. In this case, only 120 plain-bytes will not be enough
to recover all sub-keys. Nevertheless, the probability of this event is not
too large ^6, so these undetermined sub-keys will be gradually broken with the
accumulation of more known plain-bytes.

^6 It is not easy to theoretically deduce this probability. Assuming all chaotic
maps satisfy < 10""^, we found the probability is not greater than 0.06 with
300,000 random experiments in Matlab.

Finally, the following two points on the security of Wei et al.'s improved
cipher are worth mentioning: 1) in the chosen-plaintext counterpart of the DAC
attack, the plaintext feedback mechanism can be completely circumvented by
choosing all plain-bytes to be zero; 2) the plaintext feedback cannot rule out
the existence of weak keys and the weak randomness of $\{B_n\}_{n \ge 1}$. To
sum up, Wei et al.'s remedy does not essentially improve the security of the
original cipher of Pareek et al.



4 Conclusions 

In this paper, the security of a recently-proposed cipher based on multiple
one-dimensional chaotic maps [4] has been re-examined, showing that a previous
cryptanalysis [7] did not reveal many major security problems. As a result, a
number of weak keys and weak pseudorandomness of some intermediate data
were discovered and distinguished, and an efficient known-plaintext attack can
be recommended to completely reveal the whole secret key. The proposed
attack has a very small computational complexity, and works with only 120
plain-bytes in one known plaintext. In addition, it is found that an improved
version of the original cipher, proposed in [7], also suffers from the same
security problems. The cryptanalysis given in this paper thus discourages the
use of the chaotic cipher proposed in [4, 7], especially when known-plaintext
attacks are possible.